Hello, welcome everyone to theCUBE's presentation of the AWS Startup Showcase. This is season two, episode four of the ongoing series covering exciting startups from the AWS ecosystem. We're here to talk about cybersecurity. I'm your host, John Furrier, joined by two great CUBE alumni, Liz Rice, who's the chief open source officer at Isovalent, and Mark Nunnikhoven, who's the distinguished cloud strategist at Lacework. Folks, thanks for joining me today. Hi, Tasha. You're in the UK, Mark. Welcome back to the US. I know you were overseas as well. Thanks for joining in this panel to talk about, set the table for the cybersecurity showcase. You guys are experts out in the field. Liz, we've had many conversations with the rise of open source and all the innovations coming from out in the open source community. Mark, we've been going to the cover and the events, looking at all the announcements. We're kind of on this next generation security conversation. And it's kind of a do-over in progress kind of happening every time we talk. Security in the cloud is what people are talking about. Amazon Web Services had re:Inforce, which was more of a positive vibe of, hey, we're all in it together. Let's participate, share information. And they talk about incidents, not breaches. And then you got Black Hat just happened and they're like, everyone's getting hacked. It's really interesting as we report that. So this is a new market that we're in. People are starting to think differently but still have to solve the same problems. How do you guys see the security in the cloud era unfolding?
Well, I guess it's always going to be an arms race, isn't it? Everything that we do to defend cloud workloads becomes a new target for the bad guys. So this is never going to end. We're never going to reach a point where everything is completely safe. But I think there's been a lot of really interesting innovations in the last year or two.
There's been a ton of work looking into the security and the supply chain. There's been a ton of new tooling that takes advantage of technology that I'm really involved with and very excited about called eBPF. A continuation of this new generation of tooling that can help us observe when security issues are happening and also prevent malicious activities. And a ton of open source activity.
Scale is a big factor now. It's becoming a competitive advantage on one hand. APIs have made the cloud great. Now you got APIs being hacked. So all the goodness of cloud has been great but now we've got next level scale. It's hard to keep up with everything. And so you start to see new ways of doing things. What's your take?
Yeah, it is. And everything that's old is new again. And so as you start to see data and business workloads move into new areas, you're going to see cyber crime and security activity move with them. And I love Liz calling out eBPF and open source efforts because what we've really seen to contrast that sort of positive and negative attitude is that as more people come to the security table, as more developers, as more executives are aware and the accessibility of these great open source tools, we're seeing that shift in approach of like, hey, we know we need to find a balance. So let's figure out where we can have a nice security outcome and still meet our business needs as opposed to the more, let's say, to be polite, traditional security view that you see at some other events where it's like, it's this way or no way. And so I love to see that positivity and that collaboration happening.
You know, Liz, this brings up a good point. We were talking at our super cloud event we had here when we were discussing the future of how cloud's emerging.
One of the conversations that Adrian Cockcroft brought up, who's now retired from AWS, formerly with Netflix, you know, Adrian, big open source fan as well, he was pointing out that every CIO or CSO will buy an abstraction layer. You know, they love the dream and vendors sell the dream, so to speak. But the reality is not, it's not a lot of uptake because it's complex and there's a lot of non-standard things per vendor. Now we're in an era where people are looking for some standardization, some clean, safe ways to deploy. So what's the message to CSOs and CIOs and CXOs out there around eBPF, things like that that are emerging because it's almost top down was the old way. Now it's bottoms up with open source is seeing the shift. I mean, it's completely flipping the script of how companies are buying.
Yeah, I mean, we've seen with the whole cloud native movement how people are, rather than, you know, having like IETF standards, we have more of a de facto collaborative kind of standardization process going on so that things like Kubernetes become the de facto standard that we're all using. And then that's helping enterprises be able to run their workloads in different clouds, potentially in their own data centers as well. You know, we see things like EKS Anywhere, which is allowing people to run their workloads in their data center in exactly the same way as they're running it in AWS. And that kind of, that sort of leveling of the playing field, if you like, can help enterprises apply the same tooling and that's going to always help with security if you can have a consistent approach wherever you're running your workloads.
Well, let's take a minute to explain eBPF, you know, the Berkeley packet filtering technology people know from trace dumps and whatnot. It's all kind of been around for a while, but what is it specifically? Can you take a minute to explain eBPF and what does it mean for the customer?
Yeah, so you mentioned the packet filtering acronym and honestly these days I tell people to just forget that because it means so much more. What eBPF allows you to do now is to run custom programs inside the kernel. So we can use that to change the way that the kernel behaves and because the kernel has visibility over every process that's running across a machine, a virtual machine or a bare metal machine, having security tooling and observability tooling that's written using eBPF and sitting inside the kernel, it has this great perspective and ability to observe and secure what's happening across that entire machine. This is like a step change in the capabilities really of security tooling. And it means we don't have to rely on things like kernel modules which traditionally people have been quite worried about with good reason. eBPF is-
From a vulnerability standpoint you mean, right?
From a reliability standpoint.
From a vulnerability standpoint, but even just from the point of view that kernel modules, if they have bugs in them, a bug in the kernel will bring the machine to a halt. And one of the things that's different with eBPF is eBPF programs go through a verification process that ensures that they're safe to run, that happens dynamically and ensures that the program cannot crash, will definitely run to completion, all the memory access is safe. It gives us this very reassuring platform to use for building these kernel-based tools.
And what's the bottom line for the customer and the benefit to the organization?
I think the bottom line is this new generation of really powerful tools that are very high performance, that have this perspective across the whole set of workloads on a machine, that don't need to rely on things like a sidecar model which can add a lot of complexity, that was a perfectly rational choice for a lot of security tools and observability tools.
But if you can use an abstraction that lives in the kernel, things are much more efficient and much easier to deploy. So I think that's really what the enterprises are gaining. Simpler to deploy, easier to manage, lower overhead set of tools.
That's the dream they want, that's what they want. Mark, this is where the trade-offs come up, we were talking about the SuperCloud and all kinds, even at AWS, you know, you can have SuperCloud but you got SuperHackers as well. As innovation happens on one side, the hackers are innovating on the other and you started to see a lot of advances in the lower level. AWS with their silicon and strategies are continuing to happen and be stronger, faster, cheaper, you know, better, better down the lower levels at the network layer. All these things are innovating, but this is where the hackers are going too, right? So it's like, you know, it's a double-edged sword.
Yeah, and it always will be, you know, and that's the challenge of technology is sort of the advancement for one is an advancement for all. But I think, you know, while Liz hit the technical aspects of eBPF spot on, what I'm seeing with enterprises and in general with the market movement is all of those technical advantages are increasing the confidence in some of the security tooling. So, you know, the long sort of anecdote or warning in security has always been things like intrusion prevention systems where, you know, they will look at network traffic and drop things they think bad. Well, for decades, people have always deployed them in detect-only mode and that's always a horrible conversation to have with the board saying, well, I had this tool in place that could have stopped the attack, but I wasn't really confident that it was stable enough to turn on. So it just warned me that it had happened after the fact and with the stability and the performance that we're seeing out of things based on technologies like eBPF, we're seeing that confidence increase.
So people are not only deploying this new level of tooling, but they're confident that it's actually providing the security at almost and that's giving not necessarily a leg up, but at least that level of parity with that push forward that we're seeing, you know, similar on the attack side because attackers are always advancing as well. And I think that confidence and that in sort of, you know, reliability on the tooling can't be underestimated because that's really what's pushing things forward for security outcomes.
Well, one of the things I want to get both your perspectives on real quick and you kind of segue into this next set of conversations is with DevOps success, Dev and Ops, it's kind of done, right? We're all happy. We're seeing DevOps being so now DevSecOps. So CSOs were like kind of old school, buy a bunch of tools, we have a vendor and with cloud native, Liz, you mentioned this earlier, accelerating the developers are even driving the standards more and more. So shifting left is a security paradigm. So tooling, Mark, you're on top of this too. Tooling versus how do I organize my team? What are the processes? How do I keep the CI/CD pipeline going higher velocity? How can I keep my app developers programming faster? And as Adrian Cockcroft said, they don't really care about lock-in. They want to go faster. It's the Ops teams that have to deal with everything. So, and now security teams have to deal with the speed and velocity. So you're seeing a new kind of step function ratchet game where Ops and security teams who are living DevOps are still having to serve the Devs and the Devs need more help here. So how do you guys see that dynamic in security? Because this is clearly the shift left cloud native trend impacting the companies. 'Cause now it's not just shifting left for developers. It's how does that ripple effect into the organization? And the security posture.
We see a lot of organizations who now have what they would call a platform team, which is something similar to maybe what would have been an Ops team and a security team, where really their role is to provide that platform that developers can use so that they can concentrate on the business function, that they don't have to really think about the underlying infrastructure. Ideally, they're using whatever common definition for their applications. And then they just roll it out to a cloud somewhere and they don't have to think about where that's operating. And then that platform team may have a remit that covers, not just the compute, but also the networking, the common set of tooling that allows people to debug their applications as well as securing them.
Mark, this is a big discussion because one, I love the team process collaboration, but where's the team? We've got a skills gap going on too, right? So in all of this is a lot of action happening. What's your take on this dynamic of tooling versus process collaboration for security success?
Yeah, it's tough. And I think what we're starting to see is, and you called it out spot on, is that the developers are all about dynamic change and rapid change and operations and security tend to like stability and considered change in advance. And the business needs that needle to be threaded. And what we're seeing is sort of with these new technologies and with the ideas of finally moving past multi-cloud into, as you guys call, super cloud, which I absolutely love as a term of, let's get the advantage of all these things. What we're seeing is people have a higher demand for the outputs from their tooling and to find that balance of the process. I think it's acknowledged now that you're not gonna have complete security. We've gotten past that. It's not a yes or no binary thing. It's let's find that balance and risk.
So if we are deploying tooling, whether that's open source or commercial or something we built ourselves, what is the output and who is best to take action on that output? And sometimes that's gonna be the developers because maybe they can just fix their architecture so that it doesn't have a particular issue. Sometimes that's gonna be those platform teams saying like, hey, this is what we're gonna apply for everybody so it's a baseline standard. But the good news is that those discussions are happening and I think people are realizing that it's not a one size fits all. 10 years ago it was sort of like, hey, we've got a blueprint and everyone does this. That doesn't work. And I think that being out in the open really helps deliver these better outcomes because it isn't simple. It's always gonna be an ongoing discussion because what we decide today isn't gonna be the same thing in a week from now when we're a sprint ahead and we've made a whole bunch of changes on the platform and in our code.
I think the cultural change is real and I think this is hard for security because you got so much current action happening that's really important to the business that it's hard to just kind of do a reset without having any collateral damage. So you kind of got to mitigate and manage all the current situation and then try to build a blueprint for the future and transform into the next level. And it kind of reminds me of, I'm dating myself, but back in the days you had open source was new and the common enemy was proprietary, non-innovative old guard kind of mainframe, mini computer, kind of proprietary NOSes, proprietary everything. Here, there is no enemy. The clouds are doing great, right? They're leaning in, open source is at an all-time high and not stopping, it's now standard. So open is not a rebel. It's not the rebel anymore, it's the standard.
So you have the innovation happening in open source, Liz, and now you have large scale cloud and this kind of is a cultural shift, right? How people are buying, evaluating product and implementing solutions. And when I say new, I mean like new within the decades or a couple decades and it's not like open source has not been around, but like we're seeing new things emerge that are pretty super cool in the sense that you have projects defining standards, new things are emerging. So the CIO decision-making process on how to structure teams and how to tackle security is changing. And I think that the fact that we're using why have an IT department? I mean, you just have a security department and a dev team.
I think the fact that we're using so much more open source software is a big part of this cultural shift where, there is still a huge ecosystem of vendors involved in security tools and observability tools and Mark and I both represent vendors in those spaces. But the rise of open source tools means that you can start with something pretty powerful that you can grow with as you're experimenting with the security tooling that works for you. You don't have to kind of pay a giant sum to get a sort of black box. You can actually understand the open source elements of the tooling that you're going to use and then build on that and get the enterprise features when you need those. And I think that cultural change makes it much easier for people to work security in from the get-go and really do that shift left that we've been talking about for the last few years.
And I think one of the things to your point, not only can you figure out what's in the open source code and then build on top of it, you can also leave it too. You can go to something better, faster. So the switching costs are a lot lower than a lock-in from a vendor where you do all the big POCs and the pilots and Mark, this is changing the game.
I mean, I would just be bold enough to say, IT is going to be irrelevant in the sense of if you got DevOps and it works and you got security teams, do you really need IT? 'Cause the DevOps is the IT. So if everyone goes to the cloud operations, what does IT even mean?
Yeah, and it's a very valid point. And I think what we're seeing is where IT is still being successful, especially in large companies, is sort of the economy of scale. If you have enough of the small teams doing the same thing, it makes sense to maybe take one tool and scale it up because you've got 20 teams that are using it. So instead of having 20 teams running, you get one team to run it. On the economic side, you can negotiate one contract if it's a purchased tool. So there is still a place for it, but I think what we're seeing and in a very positive way is that smaller works better when it comes to this because really what the cloud has done and what open source continues to do is reduce the barrier to entry. So a team of 10 people can build something that it took a hundred people a decade ago. And that's wonderful. And that opens up all these new possibilities. We can work faster, but we do need to rethink it. And at re:Inforce from AWS, they had a great track about how they're approaching it from the people side of things with their security champions idea. And it's exactly about this, is embedding high end security talent in the teams who are building it. So that changes the central role and the central people get called in for big things like an incident response, right? Or a massive audit or reviews, but the day-to-day work is being done in context. And I think that's the real key is they've got the context to make smarter security decisions, just like the developers and the operational work is better done by the people who are actually working on the thing as opposed to somebody else because of that centralized thing, it's just communication overhead most of the time.
I love chatting with you guys because there's so much experts on the field to put my positive hat on around IT. And remember the old argument of, oh, automation technology is going to kill the bank teller. There's actually more tellers now than ever before. So the ATM machine didn't kill that. So I think IT will probably reform from a human resource perspective. And I think this is kind of where the CISO conversation kind of comes full circle, Liz and Mark, because, okay, let's assume that this continues this trajectory. Open source, DevOps, cloud scale, hybrid. It's a refactoring of personnel. So you're going to have DevOps driving everything. So now the IT team becomes a team. So most CISOs we talked to, or CXOs, is how do I deploy my teams? How do I structure things, my investment in people and machines and software in a way that I get my return? At the end of the day, that's what they live for and do it securely. So this is the CISO's kind of thought process. How do you guys react to that? What's the message to CISOs? Because they have a lot of companies to look at here and in the marketplace, they got to spend some money. They got to get a return. They got to reconfigure. What's your advice? Liz, what's your take, and then Mark, go to Mark.
It's a really great question. I mean, I think cloud skills, cloud engineering skills, cloud security skills have never been more highly valued and I think investing in training people to understand cloud, that there are tons of really great resources out there to help ramp people up on these skills. And the CNCF, AWS, there's tons of organizations who have really great courses and exams and things that people can do to really level up their skills, which is fantastic right from a grassroots level, through to the sort of most widely deployed global enterprise. I think we're seeing a lot of people very excited to develop these skills.
Mark, what's your take for the CISO, the CXO out there? They're scratching their head.
They're going, okay, I need to invest. DevOps is happening. I see the open source. I'm now got to change over. Yeah, I lift and shift some stuff. Now I got to refactor my business or I'm dead. What's your advice?
I think the key is longer term thinking. So I think where people fell down previously was, okay, I've got money, I can buy tools, roll them out. Every tool you roll out has not just an economic cost but a people cost. As Liz said, those people with those skills are in high demand. And so you want to make sure that you're getting the most value out of your people but your tooling. So as you're investing in your people, you will need to roll out tools but they're not the answer. The answer is the people to get the value out of the tools. So hold your tools to a higher standard, whether that's commercial, open source or something from the CSP, to make sure that you're getting actionable insights and value out of them that your people can actually use to move forward. And it's that balance between the two. But I love the fact that we're finally rotating back to focus more on the people because really at the end of the day that's what's going to make it all work.
Yeah, the hybrid work, people process is the key. The super cloud brings up the conversation of where we're starting to see maturation into OpEx models where CapEx is a gift from the clouds but it's not the end all be all. Companies are still responsible for their own security. At the end of the day, you can't lean on AWS or Azure. They have infrastructure and software but at the end of the day, every company has to maintain their own. Certainly with hybrid and edge coming, it's here. So this whole concept of IT, CXO, CIO, CISO, CSO, I mean, this is hotter than ever in terms of like real change. What's your reaction to that?
You know, I was just reading this morning that the cost of insuring against data breaches is getting dramatically more expensive.
So organizations are going to have to take steps to implement security. You can't just sort of throw money at the problem. You're going to actually have to throw people and technology at the problem and take security really seriously. There is this whole ecosystem of companies and folks who are really excited about security and here to help. So there's a lot of people interested in having that conversation to help those CSOs secure their deployments.
Mark, your reaction.
Yeah, I think anything that causes us to question what we're doing is always a positive thing. And I think everything you brought up really comes down to remembering that no matter what and no matter where, your data is always your data. And so you have some level of responsibility that just changes depending on what system you're using. And I think that's really shifting, especially in the CSO or the CISO mindset, to go back to the basics where it used to be information security and not just cybersecurity. So whether that information and that data is sitting on my desk physically, in a system in our data center or in the cloud somewhere, it's looking holistically and that's why we can keep coming back to people. That's what it's all about. And when you step back there, you start to realize there's a lot more trade-offs. There's a lot more levers that you can work on to deliver the outcome you want, to find that balance that works for you. 'Cause at the end of the day, security is just all about making sure that whatever you built in the systems you're working with do what you want them to do and only what you want them to do.
Well, Liz and Mark, thank you so much for your expert perspective. You're in the trenches and we appreciate your time and contributing with theCUBE and being part of our showcase. For the last couple of minutes, let's dig into some of the things you're working on.
I know network policies around Kubernetes, Liz, you know, EKS Anywhere has been fabulous with Lambda and serverless, just seeing some cool things go on there. Mark, you're at Lacework, a very successful company and looking at a large scale, observability, signaling and management, all kinds of cool things around, you know, native cloud services and microservices. Liz, give us an update. What's going on over there at Isovalent?
Yeah. So Isovalent is the company behind the Cilium networking project. It's best known as a Kubernetes networking plugin. But we've seen a huge amount of adoption of Cilium. It's really kind of skyrocketed since we became an incubating project in the CNCF. And now we're extending to using eBPF to not just do networking, but incredibly in-depth observability and security observability. We have a new sub project called Tetragon that gives you this amazing ability to see out of policy behavior. And again, because it's using eBPF, we've got the perspective of everything that's happening across the whole machine. So I'm really excited about the innovations that are happening here.
Well, they're lucky to have you. You've been a great contributor to the community. We've been following your career for a very, very long time. And thanks for everything that you do. Really appreciate it.
Thanks. Thank you.
Mark, Lacework, we've been following you guys. What are you up to these days? You know, see you're on Twitter, you're very prolific. You're also live tweeting all the events with us as well. What's going on over there at Lacework and what's going on in your world?
Yeah, Lacework, we're still, you know, focusing on the customer, helping deliver good outcomes across a cloud when it comes to security. You know, really looking at their environments and helping them understand, you know, from their data that they're generating off their systems and from the cloud usage as to what's actually happening.
And that pairs directly to the work that I'm doing, the community looking at, you know, just security as a practice. So a lot of that pulling people out of the technology, looking at the process and saying, hey, we have this tech for a reason. So that people understand what they need in place from a skill set to take advantage of the great work that folks like Liz and the community are doing because we've got these great tools. They're outputting all these great insights. You need to be able to take actions on top of that. So it's always exciting, you know, more people coming into security with a security mindset.
Love it. Well, thanks so much for this great conversation. Every board should watch this video. Every CISO, CIO, CSO, great conversation. Thanks for unpacking and making something very difficult, clear to understand. Thanks for your time.
Pleasure. Thank you.
The AWS Startup Showcase season two, episode four of the ongoing series, covering the exciting startups from the AWS ecosystem. We're talking about cybersecurity, this segment, every quarter episode we do a segment around a category and we go deep, we feature some companies and talk to the best people in the industry to help you understand that. I'm John Furrier, your host. Thanks for watching.